Adobe has released Flash Player 11.2.202.394 for Linux to correct the following flaws:

These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

External References: http://helpx.adobe.com/security/products/flash-player/apsb14-17.html
Issue Description: A flaw was found that would lead to Cross-Site Request Forgery (CSRF) attacks.
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2014:0860 https://rhn.redhat.com/errata/RHSA-2014-0860.html
Detailed write-up of the issue from its reporter: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
Tools to generate SWF files encoded in ASCII-only: https://github.com/mikispag/rosettaflash
Metasploit module exploiting this issue: http://www.rapid7.com/db/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb
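The Adobe update above hardens the client side; the advisory also refers to "vulnerable JSONP callback APIs", meaning endpoints that echo a caller-supplied callback name at the very start of the response body. The following is an added, server-side example (not code from Red Hat, Adobe, or the Rosetta Flash write-up; the function names and the callback grammar are this example's own assumptions) showing why an identifier whitelist alone is not enough and why the usual fix is to prefix the response so it can never begin with an SWF header. Callback names such as "CWSabc" are constructed sample values: they are syntactically valid JavaScript identifiers, so a whitelist accepts them, yet they start with the three bytes an SWF file starts with.

```python
import json
import re

# Assumption for this example: callbacks are plain or dotted JavaScript
# identifiers, nothing more (no brackets, quotes, parentheses, or whitespace).
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
_MAX_CALLBACK_LEN = 64

# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
_SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Prefix that makes the body parse as a JavaScript comment followed by the call,
# while guaranteeing the first bytes of the body are never an SWF signature.
_SAFE_PREFIX = "/**/"


def is_valid_callback(name):
    """Whitelist check: True only for a short, identifier-shaped callback name."""
    return bool(name) and len(name) <= _MAX_CALLBACK_LEN and _CALLBACK_RE.match(name) is not None


def naive_jsonp_response(callback, data):
    """The pattern the advisory calls vulnerable: the callback name is the first
    thing in the body, so the caller controls the leading bytes of the response.
    Kept here only to show the difference the prefix makes."""
    if not is_valid_callback(callback):
        raise ValueError("invalid callback name")
    return (callback + "(" + json.dumps(data) + ");").encode("utf-8")


def hardened_jsonp_response(callback, data):
    """Whitelist the callback AND prepend a fixed prefix so the response body
    starts with '/**/' regardless of what the caller chose as the name."""
    if not is_valid_callback(callback):
        raise ValueError("invalid callback name")
    return (_SAFE_PREFIX + callback + "(" + json.dumps(data) + ");").encode("utf-8")


def looks_like_swf(body):
    """Defensive self-check an endpoint can run before sending: does the body
    begin with an SWF signature? The hardened builder always returns False here."""
    return body[:3] in _SWF_MAGICS


def response_headers():
    """Headers to send alongside a JSONP body (assumed values for this example).
    A script content type plus nosniff reduces how else the body can be interpreted."""
    return {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    sample = {"user": "alice", "id": 42}          # constructed payload
    for cb in ("handleData", "app.cb", "CWSabc", "alert(1)//", ""):
        valid = is_valid_callback(cb)
        print(f"callback={cb!r:14} whitelist={valid}")
        if valid:
            print("  naive starts like SWF:   ", looks_like_swf(naive_jsonp_response(cb, sample)))
            print("  hardened starts like SWF:", looks_like_swf(hardened_jsonp_response(cb, sample)))
```

The point of the run is the "CWSabc" row: the whitelist passes it, the naive builder produces a body whose first three bytes are b"CWS", and the hardened builder does not. Rejecting callbacks that merely start with those three letters would be a narrower fix; the fixed prefix covers every such name at once and costs nothing on the JavaScript side.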